Re: Domain of :key from Melvin Carvalho on 2013-03-29 (public-webid@w3.org from March 2013)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 29 Mar 2013 13:35:43 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: public-webid <public-webid@w3.org>
Message-ID: <CAKaEYhJ1xjE=Kd6U3gzgp9Ct1f4S2=O-+AsXRxM=chpBv-pHyQ@mail.gmail.com>
On 29 March 2013 13:21, Henry Story <henry.story@bblfish.net> wrote:

>
> On 29 Mar 2013, at 11:11, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
>
>
> On 29 March 2013 11:01, Henry Story <henry.story@bblfish.net> wrote:
>
>>
>> On 29 Mar 2013, at 10:50, Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>>
>>
>> On 29 March 2013 10:41, Henry Story <henry.story@bblfish.net> wrote:
>>
>>>
>>> On 29 Mar 2013, at 10:25, Melvin Carvalho <melvincarvalho@gmail.com>
>>> wrote:
>>>
>>>
>>>
>>> On 29 March 2013 09:52, Henry Story <henry.story@bblfish.net> wrote:
>>>
>>>>
>>>> On 29 Mar 2013, at 09:21, Melvin Carvalho <melvincarvalho@gmail.com>
>>>> wrote:
>>>>
>>>>
>>>>
>>>> On 29 March 2013 09:14, Henry Story <henry.story@bblfish.net> wrote:
>>>>
>>>>>
>>>>> On 29 Mar 2013, at 08:53, Melvin Carvalho <melvincarvalho@gmail.com>
>>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On 29 March 2013 08:37, Henry Story <henry.story@bblfish.net> wrote:
>>>>>
>>>>>>
>>>>>> On 22 Mar 2013, at 10:42, Melvin Carvalho <melvincarvalho@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> Currently we have:
>>>>>>
>>>>>>     rdfs:domain foaf:Agent;
>>>>>>
>>>>>> This seems slightly restrictive.
>>>>>>
>>>>>> Many things can have a key, e.g. a certificate, an account, an app
>>>>>> etc.  Agent perhaps does not cover every conceivable use case?
>>>>>>
>>>>>>
>> We are not here to cover every conceivable use case. That would be
>> absolutely impossible to do.
>>
>>
>>>>>> You can create new relations to relate those things to keys if you
>>>>>> need to.
>>>>>>
>>>>>>   foaf:primaryTopic can relate a document keys it is about for
>>>>>> example.
>>>>>>
>>>>>> We need a relation to relate the agent that is the one that controls
>>>>>> the private key
>>>>>> of the public key to the public key, as that is what WebID
>>>>>> authentication and most
>>>>>> other protocols need to work.
>>>>>>
>>>>>
>>>>> In bitcoin users have a pseudo anonymous account.  Each account has a
>>>>> key pair.  It would be great to be able to model this.
>>>>>
>>>>>
>>>>> Why could one not think of an account as an Agent? It can transfer
>>>>> money, it can accept payments, etc... It is a micro agent related to you.
>>>>>
>>>>
>>>> Ah OK, if an agent can also be an account, that works.
>>>>
>>>>
>>>> It depends of course on what the bitcoint:Account thing is that you are
>>>> speaking of.
>>>> And one would need to  compare that to the definition of foaf:Agent.
>>>>
>>>> Say for sake of argument that you think of such an account more as a
>>>> bucket, in which you
>>>> can add money like you could add water to a bucket, and from which you
>>>> can remove money
>>>> as you could pour water out of a bucket into someone else's glass. Here
>>>> thinking of the bucket as
>>>> an Agent does not sound right.
>>>>
>>>
>>> This is a great analogy.  Each bitcoin account is like a bucket that
>>> contains 0 or more bitcoins.
>>>
>>> It makes no assumptions whatsoever about ownership.  Indeed, there need
>>> be no concept of ownership.
>>>
>>>
>>> There has to be a relation between an agent that knows the private key
>>> and can prove its ownership
>>> of that key, at least in so far as it signed the private key. That
>>> requires the relation between an agent
>>> and a key, which cert:key is about.
>>>
>>
>> cert : key can be used for this.
>>
>>
>>>
>>>
>>>
>>>>
>>>> Then you can think of the access to the bucket as being restricted to
>>>> certain
>>>> agents. In which case you can use the Web Access Control vocabulary.
>>>>
>>>>  http://www.w3.org/wiki/WebAccessControl
>>>>
>>>> The wac ontology relates an Agent(a), a resource, and actions that can
>>>> be done on those
>>>> resources.
>>>>
>>>> So there are a number of ways of relating different things. One does
>>>> not need to use cert:key
>>>> for each of these ways of relating them.
>>>>
>>>
>>> It would be great if I could say
>>>
>>> <> a foaf : OnlineAccount
>>>   cert : key [ ... ]
>>>
>>> Independent of any ownership details.
>>>
>>>
>>> You can say that, but not with the cert:key relation. Changing the
>>> cert:key relation means
>>> we then have to change all the specs.
>>>
>>> I'd rather we now finish the specs as we have them, so that we can
>>> propose this to the
>>> W3C for a Working Group. BitCoin can then join that Working Group by
>>> proposing a clear
>>> use case, with an ontology that it is using, which can then be used to
>>> extend the ontology.
>>> This XG is past the end of its life time, and this is not the time to
>>> make drastic revisions.
>>>
>>
>> Yes totally agree we should move forward ASAP.
>>
>> I think this is a minor bug fix.  The cert ontology is not about WebID
>> it's about certificates and security.  We can fix it in the hg like we
>> quickly fixed some bugs earlier this week, and added DSA.
>>
>> Why do you think this is a drastic change, I dont think any
>> implementations need change?
>>
>>
>> Because we have defined a WebID as an identifier for an Agent, not an
>> identifier for any
>> resource. We have defined WebID auth over TLS as identifying an Agent,
>> that can prove
>> the private key of the public key. Here we now need to add new text in
>> every spec in order
>> to speak about accounts. We would then need to rework all these specs.
>>
>
> I'm trying to follow the logic here.
>
> Let's consider Mo's proposal just to widen the range to something like
> rdfs : Resource
>
>
> A WebID can still be an agent, yes?
>
>
> yes.
>

good


>
> The problem is that you need to define how for some object X you relate it
> to the private key.
> In order to distinguish your definition from the current one, so that we
> don't have misunderstandings
> let us call your relation mlv:key .
>
> mlv:key a rdf:Property;
>      rdfs:domain rdfs:Resource;
>      rdfs:range cert:Key .
>

fine


>
> Now that means I can relate any object to a key. For example why could I
> not take the Eiffel Tower,
> and write:
>
>      dbpedia:EiffelTower mlv:key <
> http://bblfish.net/people/henry/card#key1> .
>

why could you not?  you just did


>
> Good so now what kind of relation is that? What is the relation of the
> private key to the Eiffel
> tower that we need in order to prove cryptographically the identity of a
> user of the key? You
> want some kind of way of limiting what objects you can truthfully add the
> cert key relation to,
> otherwise it is meaningless.
>

eiffel tower has a public key ... not sure it's problematic


>
> Perhaps I need a relationship of ownership to the EiffelTower to be able
> for the relation to the
> agent to work?  Perhaps
>
> mlv:owns a owl:InverseFunctionalProperty;
>     rdfs:comment """
>        an agent that owns according to all legal system the object.
>        (If we add relativity to a legal system things get more complicated)
>     ";
>     rdfs:domain foaf:Agent;
>     rdfs:range rdfs:Resource .
>
> So then we would have the rule
>
> { ?agent mlv:owns ?thing . ?thing mlv:key ?key } => { ?agent cert:key ?key
> } .
>
> So your "simplification" in fact is going to create more complexity
> elswhere.
> You could argue that when the ?thing is an agent it owns itself perhaps,
> and
> so that in that case it should fall out through reasoning. But now we have
> introduced an "if x is an Agent then do Y else do Z" into our code
> everywhere,
> and we need to specify everywhere that people have to write out for
> anything
> they put a mlv:key on that they need to specify that it is a foaf:Agent.
>

Are you saying that people are making inferences on the :key relation to
assume the subject is an agent, and that, that is your objection?


>
> ie: you can't put:
>
> <#me> mlv:key key.
>
>     you need to write
>
> <#me> a foaf:Agent;
>           mlv:key key .
>

surely this is good practice anyway, a subject should specify a type, we do
think in JSON-LD with @type, for example

is this your objection?


>
> And none of this yet prooves that your hypothetical bitcoin example would
> not be
> better off with the cert:key relation.
>

sure, but does not make the question invalid


>
> For reference currently we have:
>
>   119 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l119> :key a owl:InverseFunctionalProperty;
>
>    120 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l120>     vs:term_status "unstable";
>
>    121 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l121>     rdfs:label "key"@en;
>
>    122 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l122>     rdfs:isDefinedBy <cert#>;
>
>    123 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l123>     owl:inverseOf :identity;
>
>    124 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l124>     rdfs:comment """relates an agent to a key - most often the public key."""@en ;
>
>    125 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l125>     rdfs:domain foaf:Agent;
>
>    126 <https://dvcs.w3.org/hg/WebID/file/db5dae845920/ontologies/cert.n3#l126>     rdfs:range :Key, :PublicKey .
>
>
> ( It should say something about the control the agent has over the
> corresponding private key .
>   A previous version had that text in there. We seemed to have lost it.)
>
>
>
> Why do you feel the webid spec would be forced to change.  Would leaving
> the text the same introduce a bug or inaccuracy?  My suggestion is to leave
> the webid specs the same.
>
>
>>
>> The WebAcessControl implementations and ontologies also need to be
>> reworked sine
>> they are working in terms of agents.
>>
>
> Why would WAC implementations need change?  Im unsure this is inaccurate.
> Again I propose leaving implementations untouched.
>
>
>>
>> So you are asking us to revise something for a use case you call bitcoin
>> for which we have
>> no idea how they would write up their ontology, if they even need what
>> you suggest they may
>> need, etc... It's a lot of hypotheticals for something that is easy to
>> add later with a new relation,
>> or for which they may in fact be satisfied with what we have.
>>
>
> This is not use case driven.  I gave an example.
>
>
> You gave a use case yes. We don't know if the use case is best modelled
> the way
> you are thinking of modelling it. That would require people to work on the
> bitcoin model
> in detail, and they could end up being satisfied with the cert:key as it
> is now.
>
> I think you need to prove that this cannot be the case.
>
>
> I repeat I think it's a bug in the cert ontology that would come up in an
> XG or WG.
>
> I may be wrong but I thought this was a simple fix.
>
>
> It looks simple, but it creates complexity elsewhere.
>

I'm still trying to work out where (if at all) ... we're getting closer it
seems.


>
>
>
>>
>> This is a lot of work, and until bitcoin is really sitting at the table,
>> which they will only do
>> as part of a WG then we are just speaking hypothetically.
>>
>
> It need not be a lot of work.  Bug fixes in specs should have a fast turn
> around.
>
>
> It is a hypothetical bug. You have suggested a modelling need for bitcoin.
> But there has
> been no scrutiny of this. There cannot be: since the work has not been
> done. And the work
> of doing this is not something that can be done on the back of an envelope
> in 5 minutes.
>

If I can clarify the situation it will be possible to build a proof of
concept.  Running code is always a help in achieving consensus.

In short, I'm unsure you've raised a compelling objection, base on any
concrete cases.

So far on this thread there's

in favour of rdfs : Resource +2
In favour of foaf : Agent +1


>
> Henry
>
>
>
>>
>> So rather than do that, let's finish the specs, and get momentum for a
>> Working Group.
>>
>> henry
>>
>>
>>
>>>
>>> Henry
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>> It's perhaps the most serious use of PKI on the web after ecommerce.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> Is the parent of Agent an owl : Thing?
>>>>>>
>>>>>>
>>>>>>     Social Web Architect
>>>>>> http://bblfish.net/
>>>>>>
>>>>>>
>>>>>
>>>>>     Social Web Architect
>>>>> http://bblfish.net/
>>>>>
>>>>>
>>>>
>>>>    Social Web Architect
>>>> http://bblfish.net/
>>>>
>>>>
>>>
>>>     Social Web Architect
>>> http://bblfish.net/
>>>
>>>
>>
>>    Social Web Architect
>> http://bblfish.net/
>>
>>
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Friday, 29 March 2013 12:36:12 UTC